In June 2023, The European Commission unveiled two significant legislative proposals: the third Payment Services Directive (PSD3)^[1] and the Payment Services Regulation (PSR)^[2]. These updates are designed to replace the existing framework under PSD2, which has been in place since 2015. PSD3 and PSR aim to modernise and strengthen the regulatory environment for payment services across the European Union, ensuring that it keeps pace with the rapid advancements in digital finance. These texts introduce crucial changes that will shape the future of innovation, competition, and security in the payment service industry.

By tightening regulatory oversight, enhancing consumer protections, and enabling a more competitive landscape, these proposals will both address current challenges and set the stage for the next wave of Fintech evolution.

Key Changes and Innovations

Merging of E-Money and Payment Services

One of the most significant updates is the merging of the E-Money Directive with the Payment Services Directive^[3]. This integration aims to create a unified regulatory framework for both payment institutions and electronic money institutions, reducing the complexity that previously existed between these two sectors.

While this merger does streamline the regulatory framework, it may not necessarily lower barriers to entry. The requirements for an e-money license are expected to remain the same, if not become more stringent, which could limit the ease with which new players can enter the market. Previously, a Payment Institution (PI) license, and in some countries a Small Payment Institution, license, offered a more accessible entry point for smaller firms to establish themselves. However, the increased regulatory rigor could enhance banks’ confidence in providing transactional banking services to licensed entities, as they benefit from stronger compliance measures.

Strengthened Regulatory Oversight

PSD3 introduces more stringent licensing and authorisation requirements for payment service providers. These include higher capital requirements^[4], mandatory winding-up plans^[5], and a more streamlined authorisation process^[6]. The aim here is to enhance the stability and reliability of payment services across the EU.

While these changes are designed to increase consumer trust and market integrity, they also pose significant challenges for smaller Fintech firms. The increased compliance demands may strain resources, particularly for startups and smaller companies, potentially leading to market consolidation as these firms struggle to meet the new requirements^[7].

Enhanced Open Banking and Open Finance

PSD3 also brings significant enhancements to the Open Banking framework, including clearer guidelines for improved user protection and confidence, and expanded access rights for third-party providers. These changes are intended to remove existing barriers and improve the functionality of open banking across the EU^[8]. The new rules offer an opportunity to deliver more robust and competitive services. Improved standards (dedicated data access interface^[9] for ASPSPs^[10] etc.) and increased access rights will enable Fintechs to integrate more seamlessly with banks, enhancing their ability to innovate and provide better services to consumers. Conversely, firms must also invest in more reliable infrastructure to remain competitive.

Security and Consumer Protection

Strong Customer Authentication (SCA)

Regarding PSR and according to EY^[11], “A significant change in the cybersecurity domain is the expansion of security requirements to encompass payment card schemes, payment gateways, and merchants. The regulation also now covers third parties to whom technical, operational, and communication services have been outsourced. This mandates more parties in the payment chains to implement systems such as Strong Customer Authentication (SCA)^[12] to bolster payment security.” The new rules also introduce other rigorous fraud prevention mechanisms, including enhanced transaction monitoring^[13] and stricter liability rules.

Anti-Fraud Measures

Alongside the strengthened SCA, PSR introduces several new anti-fraud measures aimed at safeguarding consumer transactions. Key among these is the mandatory IBAN-name matching for credit transfers, which helps verify that the payee’s details match the intended recipient^[14]. Additionally, the regulation promotes enhanced data-sharing protocols^[15] among payment service providers to detect and prevent fraudulent activities more effectively.

While these measures may increase operational complexity, they are essential for maintaining a secure and trustworthy service in the eyes of consumers and regulators alike.

Conclusion

Regulations streamlining, better consumer protection, more competitive market… These proposals are set to significantly reshape the landscape of digital payments. For Fintech companies, this evolution presents both challenges and opportunities: while increased market compliance demands may strain resources, especially for small players, the potential for innovation and improved security offers a pathway to greater trust and adoption in the market.

Firms that adapt quickly and invest in strengthening their infrastructure and compliance frameworks will be well-positioned to thrive in this new era. PSD3 and PSR are not just regulatory updates, they bring the foundation for the next waves of innovation and growth in payment services.

Curious to learn more about E-Money services and how they’re shaping the future of finance? Dive into the latest insights on regulatory updates, market trends, and opportunities for innovation!

Notes:

Featured image source : Midjourney

^{[1] Proposal for a Directive of the European Parliament and the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52023PC0366}

^{[2] Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52023PC0367}

^{[3] See Recital 5 of PSD3: “Even though the issuance of electronic money is regulated under Directive 2009/110/EC of the European Parliament and of the Council,31 the use of electronic money to fund payment transactions is to a very large extent regulated by Directive (EU) 2015/2366. Consequently, the legal framework applicable to electronic money institutions and payment institutions, in particular with regard to the conduct of business rules, is already substantially aligned. (…) It is therefore appropriate that the authorisation and supervision regime applicable to electronic money institutions is further aligned with the regime applicable to payment institutions.}

^{[4] See Recital 25 of PSD3: “To cater for the risks posed by their activities, payment institutions need to hold enough initial capital combined with own funds. Considering the possibility for payment institutions to engage in the wide range of activities covered by this Directive it is appropriate to adjust the level of the initial capital attached to individual services to the nature and the risks attached to these services.”}

^{[5] See the Explanatory Memorandum pf PSD3, p.7, “Licensing and supervision of payment service providers”: “The procedures for application for authorisation and control of shareholding are mostly unchanged from PSD2, with the exception of a new requirement for a winding-up plan to be submitted with an application, but made fully consistent for institutions providing payment services and electronic money services.”}

^{[6] See Recital 18 of PSD3: “To ensure a level playing field and a harmonised process for the granting of an authorisation to undertakings applying for a payment institution license, it is appropriate to impose to competent authorities a time limit of 3 months for the authorisation process to be concluded, after the receipt of all the information required for the decision.”}

^{[7] See articles 5 and 6 of PSD3.}

^{[8] See page 5 of PSD3: “There are four specific objectives of the initiative, corresponding to the identified problems: 1. Strengthen user protection and confidence in payments; 2. Improve the competitiveness of open banking services; 3. Improve enforcement and implementation in Member States; 4. Improve (direct or indirect) access to payment systems and bank accounts for non-bank PSPs.”}

^{[9] See p.5 of PSD3: “requirement for account servicing PSPs (ASPSPs) to put in place a dedicated data access interface; “permissions dashboards” to allow users to manage their granted open banking access permissions;”}

^{[10] Account Servicing Payment Service Providers}

^{[11] Rudrani Djwalapersad (22 Feb 2024) “PSD3 and PSR: regulatory uniformization for enhanced protection” https://www.ey.com/en_nl/cybersecurity/psd3-and-psr-regulatory-uniformization-for-enhanced-protection}

^{[12] See article 85 of the PSR.}

^{[13] See p.10 of the PSR, “Operational and security risks and authentication”: “A new provision is added requiring PSPs to have transaction monitoring mechanisms in place to provide for the application of strong customer authentication and to improve the prevention and detection of fraudulent transactions.”}

^{[14] See p.6 of the PSR: “Improvements to the application of SCA, (…) extension of IBAN verification to all credit transfers.” See Recital 104 of PSR: “‘Unique identifier’ should be understood as referring to ‘IBAN’“}

^{[15] See article 84 of the PSR: “Payment service providers shall alert their customers via all appropriate means and media when new forms of payment fraud emerge…”}

Regulatory bodies, like the Basel Committee on Banking Supervision, are evolving frameworks to ensure responsible innovation. Initiatives such as the EU’s Digital Operational Resilience Act^[1] aim to strengthen financial entities’ resilience against ICT-related incidents. To stay competitive banks must balance innovation with risk management, foster collaboration with regulators and technology partners, and adapt to the changing digital landscape.

Innovative technologies and applications

The Basel Committee on Banking Supervision recently published a report^[2] which considers the implications of the ongoing digitalisation of finance on banks and supervision. The section on “Innovative Technologies and Applications” presents several key technologies driving this phenomenon.

• Application Programming Interfaces (APIs) are pivotal in facilitating data sharing between applications, enabling real-time processing, and enhancing data connectivity. Banks leverage APIs for various functions, including mobile and open banking applications, where the financial data can be shared with third-party providers for personalised products and services; and internal system data management.
• Artificial Intelligence (AI) and Machine Learning (ML) are increasingly employed by banks, particularly in customer-facing services and revenue generation. These technologies allow computers to perform sophisticated tasks that previously required human intervention. The adoption of AI/ML technologies varies among banks, reflecting different levels of interest and implementation.
• Distributed Ledger Technology (DLT) is recognised for its role in providing secure, transparent, and decentralized record-keeping. Though specific details are sparse, DLT is acknowledged as a significant influence on the financial sector^[3], shaping how transactions and data are managed.
• Cloud computing is another crucial technology being widely adopted by banks. This trend is set to continue, indicating a growing reliance on cloud services for various operations within the banking industry.

All these technologies play a crucial role in reshaping the banking landscape and are essential components of the digital transformation in the financial sector.

New competitors and business models

The innovative technologies mentioned above have enabled the rise of new digital-only participants in the financial services sector, including neobanks, fintechs, and larger technology companies. These new competitors often hold advantages in data and technology, operating on digitally native platforms without the burden of legacy IT systems. This shift is reshaping the competitive landscape, particularly in payment services.

This influx of new entrants and the adoption of advanced technologies have prompted traditional banks to form strategic partnerships with various firms. For example, J.P. Morgan Payments provides embedded banking services on e-commerce platforms like Amazon, Macy’s Marketplace, and SalonCentric, serving as the invisible provider of banking services^[4]. Goldman Sachs partnered with Apple to launch the Apple Card, a credit card integrated with Apple’s ecosystem^[5]. These collaborations are transforming traditional banking businesses, introducing new channels and interconnections within the banking system; this evolution underscores the changing dynamics of a financial industry driven by technology.

Navigating the risks

Strategic Risks

Strategic risks emerge from the threats posed to a bank’s business strategy due to digitalisation. Banks must adapt to evolving customer preferences, competitive pressures, and technological advancements. Continuously evaluating and adjusting strategies is vital to remain in sync with the digital transformation sweeping through the financial sector.

How can banks adapt?

By investing in agile technology platforms that allow for rapid adjustments to shifting market demands and customer behaviours.

Reputational risks

Reputational risks arise from operational mishaps, regulatory non-compliance, or adverse public perception. The use of advanced technologies like AI and ML can result in unfair outcomes, tarnishing a bank’s reputation. Collaborations with non-bank entities also carry risks if problems occur^[6]. Upholding trust requires clear communication, transparency, and adherence to ethical standards.

How can banks adapt?

By implementing AI ethics committees to oversee the fairness and transparency of their AI/ML systems, and conducting appropriate due diligence on their collaborators and external service providers.

Operational risks

Operational risks encompass internal failures, external events, or flawed processes. Digitalisation heightens complexity and reliance on technology, which can increase the likelihood of operational issues. Strong risk management practices and internal controls are crucial to mitigate these risks and ensure technological robustness.

How can banks adapt?

By conducting regular cybersecurity drills and updating their internal control systems to handle new technological challenges.

Data issues and related risks

Data-related risks involve challenges in data governance, privacy, security, and compliance. Effective data management is essential for protecting customer information and meeting regulatory requirements. Banks need to implement robust data governance frameworks and security measures to prevent data breaches and misuse.

How can banks adapt?

by adopting advanced encryption methods and regularly auditing their data governance protocols to ensure compliance.

Financial stability risks

Digitalisation introduces systemic risks that may affect financial stability. Greater interconnections with fintechs and tech firms add to the complexity. Rapid technological scaling can expose systemic vulnerabilities. Regulators must monitor and manage these risks to maintain the financial system’s resilience.

How can banks adapt?

By collaborating with regulators to develop frameworks that address the complexities introduced by fintech partnerships and technological innovations.

Conclusion

The digitalisation of finance, driven by cutting-edge technologies like AI, ML, DLT, and cloud computing, opens up a world of unprecedented opportunities for banks while also presenting significant risks. To stay ahead in this dynamic landscape and meet the ever-evolving customer preferences, banks must continuously innovate and adapt their strategies. Embracing effective governance, robust risk management, and comprehensive data governance frameworks is essential to prevent operational failures, data breaches, and regulatory non-compliance.

As digitalisation increases interconnections within the financial system, systemic risks emerge, demanding vigilant oversight and flexible regulatory frameworks. For banks and regulators, working together is vital to foster responsible innovation and ensure financial stability. By skillfully balancing innovation with strategic risk management, banks can master the digital transformation, seize new opportunities, and strengthen their resilience.

To learn more about how AI, ML, DLT, and cloud computing are shaping the future of finance and explore our dynamic startup ecosystem, visit the LHoFT website. Discover the resources and opportunities we offer to support your journey in the digital financial landscape.

Featured image source : Midjourney

^{[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32022R2554
[2] https://www.bis.org/bcbs/publ/d575.htm
[3] See “Distributed ledger technology in payment, clearing and settlement – an analytical framework” (27 February 2017) https://www.bis.org/cpmi/publ/d157.htm
[4] https://www.americanbanker.com/payments/news/jpmorgan-details-its-invisible-role-with-amazon-and-others
[5] https://www.apple.com/apple-card/
[6] See the case of JPMorgan against Fintech startup Frank: https://www.fastcompany.com/90834226/jpmorgan-chase-frank-closed-student-aid-startup-fake-users}